Compromised Websites Questions

brand_land

Active Member
Oct 18, 2018
Saudi Arabia
cPanel Access Level
Reseller Owner
I have a business hosting in which I have many websites. I was surprised to see that more than 10 of them were hacked into, and I lost a lot of data.
I found many PHP script-gr files and phishing files, which I have deleted, but I'm afraid that it's gonna happen again.
What can I do to prevent it, and how can I know how the hacker got into my websites?
 

Anupam SG

Active Member
Aug 29, 2018
Earth
cPanel Access Level
Root Administrator
How did you get to know the sites were "hacked"?
PHP or other malicious files can end up on the server through legitimate users and it is not necessary that the server be hacked for such a thing to occur.
If you were able to trace the files, you can cross check the time-stamps of those files with FTP, Apache, SSH, Exim Logs, to ascertain what exactly happened.
Preventing it from happening again depends on finding out what exactly caused it to happen in the first place.
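The timestamp cross-check suggested in this reply, as an added example that is not part of the original post: it takes the time a dropped file appeared and lists the Apache access-log requests (combined format) within a few minutes of it, marking successful POST/PUT requests. The sample log lines, IP addresses, paths and file time are constructed; prefer the file's change time from `stat` over its modification time, because the modification time can be backdated.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format: client IP, [timestamp], "METHOD path ...", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (time, ip, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # timezone-aware
    return ts, m["ip"], m["method"], m["path"], int(m["status"])

def requests_near(file_time, log_lines, window_minutes=5):
    """Requests within +/- window_minutes of file_time, oldest first.

    'write' marks successful POST/PUT requests, the ones able to place a
    file on disk through a web script.
    """
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, method, path, status = rec
        if abs(ts - file_time) <= window:
            hits.append({"time": ts, "ip": ip, "method": method, "path": path,
                         "status": status,
                         "write": method in ("POST", "PUT") and status < 400})
    return sorted(hits, key=lambda h: h["time"])

# Constructed sample data (documentation IP ranges, hypothetical paths).
FILE_TIME = datetime(2018, 10, 18, 14, 2, 13, tzinfo=timezone(timedelta(hours=3)))
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2018:13:40:00 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Oct/2018:14:01:58 +0300] "GET /login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Oct/2018:14:02:11 +0300] "POST /upload-handler.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Oct/2018:14:02:40 +0300] "GET /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2018:15:30:00 +0300] "POST /contact.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in requests_near(FILE_TIME, SAMPLE_LOG):
        print(h["time"], h["ip"], h["method"], h["path"], h["status"], "WRITE" if h["write"] else "")
```

The client address on a marked request is the one to search for next in the FTP, SSH and Exim logs over the same window.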
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Were the websites using up to date scripts? Were the websites using up to date plugins, themes, components, etc? How reputable were all of those scripts, plugins, themes, components, etc? Granted, the term "reputable" is subjective, but were the scripts, plugins, themes, components being actively developed? Had their developers released an update any time within the past year or 6 months? How many installs do those plugins, themes, etc have installed? Just because "reputable" is subjective does not mean it's a term you should ignore.

What admin dashboard passwords were they using? Were they using easy to guess passwords? Surprisingly - even in 2018 - I see this a lot.

My guess is that the websites were hacked because of 1 of these 2 reasons. And in both cases - this is not a cPanel issue.

If you really want to figure out how they were compromised, then you're going to have to do some digging and educate yourself on how to administer a server. There's a wealth of information out there (Google is your friend) but you have to be willing to put forth the time to study and learn all of this.
 

brand_land

Active Member
Oct 18, 2018
Saudi Arabia
cPanel Access Level
Reseller Owner
> How did you get to know the sites were "hacked"?
> PHP or other malicious files can end up on the server through legitimate users and it is not necessary that the server be hacked for such a thing to occur.
> If you were able to trace the files, you can cross check the time-stamps of those files with FTP, Apache, SSH, Exim Logs, to ascertain what exactly happened.
> Preventing it from happening again depends on finding out what exactly caused it to happen in the first place.

The hacker put an index file with his name and a message that the website was hacked by him, and he also put on his Facebook page that he hacked those files.
I found the files and I knew the exact time they were put there, but I don't know how to trace them and what to do with those files.

> Were the websites using up to date scripts? Were the websites using up to date plugins, themes, components, etc? How reputable were all of those scripts, plugins, themes, components, etc? Granted, the term "reputable" is subjective, but were the scripts, plugins, themes, components being actively developed? Had their developers released an update any time within the past year or 6 months? How many installs do those plugins, themes, etc have installed? Just because "reputable" is subjective does not mean it's a term you should ignore.
>
> What admin dashboard passwords were they using? Were they using easy to guess passwords? Surprisingly - even in 2018 - I see this a lot.
>
> My guess is that the websites were hacked because of 1 of these 2 reasons. And in both cases - this is not a cPanel issue.
>
> If you really want to figure out how they were compromised, then you're going to have to do some digging and educate yourself on how to administer a server. There's a wealth of information out there (Google is your friend) but you have to be willing to put forth the time to study and learn all of this.

Unfortunately, I've been on this job for about a month, so it's kind of difficult to check each website to know all the things you said. As for me, my websites were very secure, and I can guarantee that, as one of my websites was attacked more than 300 times a week and, thanks to the security measures I take and to Wordfence, they were blocked.
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
> Were the websites using up to date scripts? Were the websites using up to date plugins, themes, components, etc? How reputable were all of those scripts, plugins, themes, components, etc? Granted, the term "reputable" is subjective, but were the scripts, plugins, themes, components being actively developed? Had their developers released an update any time within the past year or 6 months? How many installs do those plugins, themes, etc have installed? Just because "reputable" is subjective does not mean it's a term you should ignore.
>
> What admin dashboard passwords were they using? Were they using easy to guess passwords? Surprisingly - even in 2018 - I see this a lot.
>
> My guess is that the websites were hacked because of 1 of these 2 reasons. And in both cases - this is not a cPanel issue.
>
> If you really want to figure out how they were compromised, then you're going to have to do some digging and educate yourself on how to administer a server. There's a wealth of information out there (Google is your friend) but you have to be willing to put forth the time to study and learn all of this.

I have to second this advice. If you want to find the source of the issue, this advice is the most sound advice you can get. It takes some work. You might also try running one of the many malware scanners, like ClamAV (Configure ClamAV Scanner - Version 74 Documentation - cPanel Documentation) or LMD (Linux Malware Detect – R-fx Networks).

No malware scanner will be 100% effective, though, unfortunately.